hswaw/machines/printmaster: cups server box

Change-Id: Ibf75d9bad789521bfab77fb17017b20030deed52 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1894 Reviewed-by: informatic <informatic@hackerspace.pl>
2024-02-01 23:01:24 +01:00 · 2024-02-01 23:01:24 +01:00 · c8d1d51c11
parent d63ed67aa7
commit c8d1d51c11
5 changed files with 249 additions and 0 deletions
--- a/hswaw/machines/printmaster.waw.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/printmaster.waw.hackerspace.pl/configuration.nix
@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./scanning.nix
+      ./printing.nix
+    ];
+
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  networking.hostName = "printmaster";
+  networking.enableIPv6 = false;
+  networking.firewall.enable = true;
+  time.timeZone = "Europe/Warsaw";
+
+  nix.extraOptions = ''
+    experimental-features = nix-command
+  '';
+
+  users.users = {
+    root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXhpZR8NUyJe9ud92uxavLuLLRVMUpqFOUTE0x35JHgve6Qo+IqlmszlmDGtTBqLlR/ZeXw0Rb7aq6rsrM20zmPMl/XQygwzE72dUZVnw4CWlzakI6qntU4FvnpjxMy3dz3KvYUtjf+p44tEuyU64s9TLKipX58GwTtVCKO1gmSI1I+3Ng0hxcXveMln+uH7Wa5LXJhGcyXTbnUXGpp97tXLWxG5xO46kwsmRhBd2MfodeeWe+nB0tVNE/sNybOwPNfzVu/U9wylyjdQ1/CBR9sNNYxT3RhuEwXKW/Unf/0ekB5j9VMpfMNwBMz714Ml3FKGsqacJL8Z0bJuPpveG1P4IYRS6x9pxPb4pgbBO9RZXIC8YQuqdBWulQo76SSEp5yCAkHFdQ3YX7em8zROpaVdZUBRUkwKdflt5PYjcv06rDNLKLoHbVhfZcPkkqKGsP/EA7ioARTezWAWRqc3CMXCnAH2CQLOeuvHmdQ2hqg3QZV8yZd/UzpyW8KjjkEMs= frederic@dedusmuln-macos.local"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD3ujDBU/w0J37TQKro5lSmb3H2vGkbllsSxrD+aGAC6/5AosPLVxOXlWUH+P8ljeHsrZRiGhq9nBaafXXvMz7D8EIFqOH6mG1sG+pFL4M0/weebRutYiwRhPn5dl9ABij+lY2ETBP8K3anPXbyHHaSZW3GTNIJbmwVlP5jYfFEzXs5v6jYpMqDZ6i3HRaDDXxp7b9ZHc5LECEvepeO2T4MlTMUSa4bntP2ZzgWKoGkC+Bpyr98ug1hGoYiRGH2Cu9shjnPSopqd/YVCBNQ917FasnGLf8rNmUtNZycE0CPYHrf6N4SslkxSbfz3i+lAsdJLo53eBdn474yryrG0DtZJA8kacBxUWrLIFrWLDHkTlOx/UrdFWV55hMkmc2uo7MvO8nGuqATRoqZwSnYRLhHU8fpZHoOXlwCVoW9fcDOTgukUYHQCbQnfiS3H5ikE5vXxAHpzPE0pZ5o+YvrE0VVSwpB0aaSt55nY8762Q2y89clvjdoGwP7p7TL8M032QGFq2PAMY/+GY01zq+qswg7uEetU8Ccam9U4XoeB8XV7ocBNvGT/1PCfXwami5335SrB6+UHq6aU93ZSqc5lXl0KhrrhwuPDjN67nN3OtoeHsbwhyv+o5QJGB4ahWFs7G37Cxj/KffgdKQnvTLSzidA6uEXqFCjq8FNuEGeG+cKHw=="
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    wget
+    neofetch
+    git
+    fd
+    vim
+  ];
+
+  services.openssh.enable = true;
+
+  swapDevices = [{ device = "/swapfile"; size = 2 * 1024; }];
+  system.stateVersion = "23.11";
+}
--- a/hswaw/machines/printmaster.waw.hackerspace.pl/hardware-configuration.nix
+++ b/hswaw/machines/printmaster.waw.hackerspace.pl/hardware-configuration.nix
@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enu1u1u1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
--- a/hswaw/machines/printmaster.waw.hackerspace.pl/printing.nix
+++ b/hswaw/machines/printmaster.waw.hackerspace.pl/printing.nix
@ -0,0 +1,84 @@
+{ pkgs, ... }:
+
+{
+  hardware.printers = {
+    ensurePrinters = [
+      {
+        name = "DYMO_LabelWriter450";
+        location = "HSWAW";
+        # FIXME: roll back to previous serial whenever we switch back to the
+        # deep fried printer
+        deviceUri = "usb://DYMO/LabelWriter%20450?serial=07080922282341";
+        # deviceUri = "usb://DYMO/LabelWriter%20450?serial=14070417114480";
+        model = "lw450.ppd";
+        ppdOptions = {
+          PageSize = "w102h252";
+        };
+      }
+
+      {
+        name = "Zebra_GK420T";
+        location = "HSWAW";
+        deviceUri = "socket://10.8.1.22:9100";
+        model = "drv:///sample.drv/zebra.ppd";
+        ppdOptions = {
+          PageSize = "w288h432";
+          MediaType = "Thermal";
+          Resolution = "203dpi";
+        };
+      }
+
+      {
+        name = "Brother_MFC8380DN";
+        location = "HSWAW";
+        deviceUri = "socket://10.8.1.21";
+        model = "BR8380.ppd";
+        ppdOptions = {
+          PageSize = "A4";
+        };
+      }
+    ];
+
+    ensureDefaultPrinter = "DYMO_LabelWriter450";
+  };
+
+    services = {
+    avahi = {
+      enable = true;
+      nssmdns = true;
+      openFirewall = true;
+      publish = {
+        enable = true;
+        userServices = true;
+      };
+    };
+    printing = {
+      enable = true;
+      defaultShared = true;
+      browsing = true;
+      openFirewall = true;
+      allowFrom = [ "all" ];
+      listenAddresses = [ "*:631" ];
+      drivers = [
+        # Workaround for broken multi-copies printing on LW450
+        (pkgs.cups-dymo.overrideAttrs (old: {
+          postPatch = ''
+            sed -i 's/cupsManualCopies: False/cupsManualCopies: True/g' ppd/*
+          '';
+        }))
+
+        # Official Brother PPD
+        (pkgs.runCommand ''cups-brother'' { } ''
+          mkdir -p $out/share/cups/model
+          gunzip --stdout ${pkgs.fetchurl {
+            url = "https://download.brother.com/welcome/dlf006311/BR8380_2_GPL.ppd.gz";
+            hash = "sha256-d7Kly2z8ALLV+j2Zmh3knpqiELFS4wf+4MfgNYeC0hQ=";
+          }} > $out/share/cups/model/BR8380.ppd
+        '')
+      ];
+
+      # Requests coming from beyondspace use printmaster.waw.hackerspace.pl:631 host header which Cups doesn't like - let's just allow all
+      extraConf = "ServerAlias *";
+    };
+  };
+}
--- a/hswaw/machines/printmaster.waw.hackerspace.pl/scanning.nix
+++ b/hswaw/machines/printmaster.waw.hackerspace.pl/scanning.nix
@ -0,0 +1,74 @@
+{ pkgs, ...}:
+
+{
+  # Samba server exposed for Brother scanner - exposed on http://printmaster.waw.hackerspace.pl/brother/
+  services.samba = {
+    enable = true;
+    securityType = "user";
+    openFirewall = true;
+    extraConfig = ''
+      workgroup = WORKGROUP
+      client min protocol = NT1
+      server min protocol = NT1
+
+      server string = printmaster
+      netbios name = printmaster
+
+      # note: localhost is the ipv6 localhost ::1
+      hosts allow = 10.8.1. 10.8.0. 127.0.0.1 localhost
+      hosts deny = 0.0.0.0/0
+      guest account = nobody
+      map to guest = bad user
+    '';
+
+    shares = {
+      brother = {
+        path = "/run/brother";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "yes";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "nobody";
+        "force group" = "nogroup";
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."printmaster.waw.hackerspace.pl" = {
+      locations."/brother/" = {
+        alias = "/run/brother/";
+        extraConfig = "autoindex on;";
+      };
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+      "d /run/brother 1777 nobody nogroup 1d"
+  ];
+
+  # FTP-to-mail proxy used for paperless
+  systemd.services.ftpserver = let ftpserver-bin = pkgs.fetchzip {
+      url = "https://github.com/fclairamb/ftpserver/releases/download/v0.13.0/ftpserver_0.13.0_linux_arm64.tar.gz";
+      hash = "sha256-HMaE2vM4HpD80aUxt5mI0ZUexHT7XEOJPnHqwO+W01Q=";
+      stripRoot = false;
+    }; in {
+    # TODO move ftpserver.json to secrets
+    script = ''
+      ${ftpserver-bin}/ftpserver -conf /etc/ftpserver.json
+    '';
+
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    # ftpserver
+    2121
+
+    # nginx
+    80
+  ];
+}
--- a/ops/hive.nix
+++ b/ops/hive.nix
@ -72,6 +72,13 @@ in
          sha256 = "1k71lmzdaa48yqkmsnd22n177qmxxi4gj2qcmdbv0mc6l4f27wd0";
        })
        { };
+
+      "printmaster.waw.hackerspace.pl" = import
+        (fetchTarball {
+          url = "https://api.github.com/repos/NixOS/nixpkgs/tarball/56911ef3403a9318b7621ce745f5452fb9ef6867";
+          sha256 = "0jf6pnz4s5w9p35wd584hy7p6r5aaq1khfdxv2c1nqnmss05nn2b";
+        })
+        { system = "aarch64-linux"; };
    };

    allowApplyAll = false;
@ -101,4 +108,9 @@ in
  "tv1.waw.hackerspace.pl" = import ../hswaw/machines/tv/tv1.nix;
  "tv2.waw.hackerspace.pl" = import ../hswaw/machines/tv/tv2.nix;
  "sound.waw.hackerspace.pl" = import ../hswaw/machines/sound.waw.hackerspace.pl/configuration.nix;
+  "arcade.waw.hackerspace.pl" = import ../hswaw/machines/arcade.waw.hackerspace.pl/configuration.nix;
+  "printmaster.waw.hackerspace.pl" = { ... }: {
+    imports = [ ../hswaw/machines/printmaster.waw.hackerspace.pl/configuration.nix ];
+    deployment.buildOnTarget = true;
+  };
 }